Updated to be much stricter about usage.

openrisc · Jan 5, 2011 · 0c0d3fe · 0c0d3fe
1 parent 9d605c4
commit 0c0d3fe
Show file tree

Hide file tree

Showing 2 changed files with 145 additions and 69 deletions.
diff --git a/brend.sh b/brend.sh
@@ -26,23 +26,31 @@
 
 # Pre-requisites: bridge-utils must be installed.
 
-# Usage: ./brset.sh <bridge> <eth> <mac> <tap> [<tap> <tap> ...]
+# Usage: ./brend.sh <bridge> <eth> <tap>
 
 # - <bridge> is the bridge interface to use, e.g. br0
 # - <eth> is the hardware ethernet interface to use, e.g. eth0
-
-# The tap interface can subsequently be deleted (so long as no one else is
-# using it) with
-
-# openvpn --rmtun --dev tap<n>
-
-# Define Bridge Interface
+# - <tap> is the tap interface to use, e.g. tap0
+
+# Check we have the right number of arguments
+if [ "x$#" != "x3" ]
+then
+    echo "Usage: ./brend.sh <bridge> <eth> <tap>"
+    exit 1
+fi
+
+# Check we are root
+euid=`id -un`
+if [ "x${euid}" != "xroot" ]
+then
+    echo "Must run as root"
+    exit 1
+fi
+
+# Break out the arguments
 br=$1
-shift
-
-# Host ethernet interface to use
-eth=$1
-shift
+eth=$2
+tap=$3
 
 # Determine the IP address, netmask and broadcast of the bridge.
 eth_ip=`ifconfig $br | \
@@ -58,18 +66,53 @@ eth_broadcast=`ifconfig $br | \
         head -1 | \
         sed -e 's/^.*Bcast:\([^ \t]*\).*$/\1/'`
 
-# Define list of TAP interfaces to be bridged,
-tap=$*
-
-echo "Deleting bridge $br"
-echo "  Host Ethernet device: $eth"
-echo "  Host IP address:      $eth_ip"
-echo "  Host netmask:         $eth_netmask"
-echo "  Host broadcast:       $eth_broadcast"
-
-# Delete the bridge
-ifconfig $br down
-brctl delbr $br
-
-# Restore the Ethernet interface
-ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
+# Close the firewall to the tap and bridge
+iptables -D INPUT -i ${tap} -j ACCEPT
+iptables -D INPUT -i ${br} -j ACCEPT
+iptables -D FORWARD -i ${br} -j ACCEPT
+
+# Take down the bridge and delete it
+ifconfig ${br} down
+
+if [ $? != 0 ]
+then
+    echo "Failed to take down ${br}"
+    exit 1
+fi
+
+brctl delbr ${br}
+
+if [ $? != 0 ]
+then
+    echo "Failed to take delete ${br}"
+    exit 1
+fi
+
+# Delete the TAP interface. Note we mustn't have anything using it. It's
+# rather harsh, but we use fuser to ensure this (it will take out all users of
+# any TAP/TUN interface).
+fuser -k /dev/net/tun
+openvpn --rmtun --dev ${tap}
+
+if [ $? != 0 ]
+then
+    echo "Failed to remove ${tap}"
+    exit 1
+fi
+
+# Restore the Ethernet interface. We could use ifconfig with the IP address,
+# netmask and broadcast mask from earlier, but this does not seem to work in a
+# DHCP world
+#   ifconfig ${eth} ${eth_ip} netmask ${eth_netmask} broadcast ${eth_broadcast}
+# Instead we use a single shot dhcp configuration. In future the extant eth0
+# dhclient will refresh the lease.
+dhclient -1 -d ${eth0}
+
+if [ $? != 0 ]
+then
+    echo "Failed to get lease for ${eth}"
+    exit 1
+fi
+
+# Kill the outstanding br0 DHCL client
+kill `ps ax | grep "dhclient.*${br}" | grep -v "grep" | cut -c 1-5`
diff --git a/brstart.sh b/brstart.sh
@@ -26,26 +26,37 @@
 
 # Pre-requisites: bridge-utils must be installed.
 
-# Usage: ./brset.sh <bridge> <eth> <tap> [<tap> <tap> ...]
+# Usage: ./brstart.sh <username> <groupname> <bridge> <eth> <tap>
 
 # - <bridge> is the bridge interface to use, e.g. br0
 # - <eth> is the hardware ethernet interface to use, e.g. eth0
 # - <tap> is/are the persistent TAP interface(s)
 
-# The tap interfaces must have been previously set up persistently by the
-# superuser using for example:
-
-# openvpn --mktun --dev tap<n> --user <username> --group <groupname>
-
-# Define Bridge Interface
-br=$1
-shift
-
-# Host ethernet interface to use
-eth=$1
-shift
-
-# Determine the IP address, netmask and broadcast of the host.
+# Check we have the right number of arguments
+if [ "x$#" != "x5" ]
+then
+    echo "Usage: ./brstart.sh <username> <groupname> <bridge> <eth> <tap>"
+    exit 1
+fi
+
+# Check we are root
+euid=`id -un`
+if [ "x${euid}" != "xroot" ]
+then
+    echo "Must run as root"
+    exit 1
+fi
+
+# Break out the arguments
+username=$1
+groupname=$2
+br=$3
+eth=$4
+tap=$5
+
+# Determine the IP address, netmask and broadcast of the current Ethernet
+# interface. This is used if the bridge is set up manually, rather than using
+# DHCP.
 eth_ip=`ifconfig $eth | \
         grep "inet addr" | \
         head -1 | \
@@ -59,34 +70,56 @@ eth_broadcast=`ifconfig $eth | \
         head -1 | \
         sed -e 's/^.*Bcast:\([^ \t]*\).*$/\1/'`
 
-# Define list of TAP interfaces to be bridged,
-tap=$*
+# Create the TAP interface
+openvpn --mktun --dev ${tap} --user ${username} --group ${groupname}
 
-echo "Creating bridge $br"
-echo "  Host Ethernet device: $eth"
-echo "  Host IP address:      $eth_ip"
-echo "  Host netmask:         $eth_netmask"
-echo "  Host broadcast:       $eth_broadcast"
-echo "  Target TAP device(s): $tap"
+if [ $? != 0 ]
+then
+    echo "Failed to create ${tap}"
+    exit 1
+fi
 
 # Create the bridge
-brctl addbr $br
-
-# Add the host Ethernet and TAP interfaces
-brctl addif $br $eth
-
-for t in $tap; do
-    brctl addif $br $t
-done
-
-# Remove the IP addresses of the underlying interfaces
-ifconfig $eth 0.0.0.0 promisc up
-
-for t in $tap; do
-    ifconfig $t 0.0.0.0 promisc up
+brctl addbr ${br}
+
+if [ $? != 0 ]
+then
+    echo "Failed to create ${br}"
+    exit 1
+fi
+
+# Add the host Ethernet and TAP interfaces, removing the IP addresses of the
+# underlying interfaces.
+for i in ${eth} ${tap}
+do
+    # Add the interface
+    brctl addif ${br} ${i}
+
+    if [ $? != 0 ]
+    then
+	echo "Failed to create ${i}"
+	exit 1
+    fi
+
+    # Remove the IP address
+    ifconfig ${i} 0.0.0.0 promisc up
+
+    if [ $? != 0 ]
+    then
+	echo "Failed to remove IP interface of ${i}"
+	exit 1
+    fi
 done
 
-# Reconfigure the bridge to have the Ethernet address that had been used just
-# by $eth.
-# ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
-dhclient $br
+# Reconfigure the bridge to have the appropriate Ethernet address. This uses
+# dhclient to get the information from DHCP, but we could instead use
+# ifconfig and the data about the original IP address, netmask and broadcast
+# mask as follows:
+#   ifconfig ${br} ${eth_ip} netmask ${eth_netmask} broadcast ${eth_broadcast}
+dhclient ${br}
+
+# Open up firewall to the tap and bridge. We have a generic reject at the end
+# of the chain, so we insert these at the start.
+iptables -I INPUT 1 -i ${tap} -j ACCEPT
+iptables -I INPUT 1 -i ${br} -j ACCEPT
+iptables -I FORWARD 1 -i ${br} -j ACCEPT